FFT - Constructing A Secure SD-WAN Architecture v6.2 r6 [PDF]


Constructing a Secure SD-WAN Architecture

1

Secure SD-WAN Objectives:
• Describe SD-WAN
• Understand the need for Secure SD-WAN
• View use cases and success stories
• Configure SD-WAN
• Monitor and manage SD-WAN

2

Traditional WAN
• Used to extend computer networks to connect remote branch offices to data centers
• Expensive circuit costs
• Fixed circuits
• Long lead time
• Proprietary hardware
• Difficult to expand
• Branch traffic hauled back to HQ

(Diagram: Branch Office, HQ/Datacenter, Public Cloud, SaaS)

The WAN is Complex and Needs Transformation 70%

Customers mentioned that existing WAN is slow and expensive

Security is “MUST”

60+

SaaS enterprises are adopting WAN solutions as part of digital transformation

90% of SD-WAN vendors do not provide security. With direct internet access, security becomes critical at every branch

90%

WAN solution vendors don’t provide built-in NGFW security

4

Gartner: Security is the Biggest WAN Concern
Customers reported the following as the top concerns during WAN initiatives:
• 72% Security
• 58% Performance
• 47% Cost

Gartner Survey Analysis: Address Security and Digital Concerns to Maintain Rapid SD-WAN Growth, Naresh Singh, 12 November 2018

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

5

Enter SD-WAN
• Software-defined WAN (SD-WAN)
• Simplifies the management and operation of a WAN by separating the networking hardware from its control mechanism
• Lets companies build higher performance WANs using lower cost and commercially available internet access
• Transport agnostic

(Diagram: Branch Office, HQ/Datacenter, Public Cloud, SaaS)

Enterprise SD-WAN Use Case

SD-WAN Use Cases to Transform Enterprise WAN Edge Network Operations

Network Security

Application Aware WAN Edge

Reduce WAN Cost for Lower Operating Expenses (Opex)

Simplify Operations for quick roll-out

Business applications steering with low latency

MPLS to broadband transition

Zero-touch deployment at scale

Top rated threat protection and detection for direct internet access

Quality of experience (QoE) for voice and video apps

Single pane of glass management

Security Operations

8

Fortinet Redefined WAN Edge with Secure SD-WAN Application Steering with High Availability Performance on any WAN Link

Consolidate Point Products

Simplification

Zero-Touch Deployment

SD-WAN

Functionality

Proven Built-in Next Generation Firewall (NGFW) with SSL Inspection

9

Enterprise SD-WAN Use Cases—MPLS Migration Traditional WAN Multiprotocol Label Switching (MPLS) Dependency Inflexible, expensive, good quality of service (QoS)

MPLS Private Cloud

Branch

Business Apps All traffic routed via MPLS circuits, QoS applied for business apps

Traffic Secured in the MPLS Provider Cloud Breakout in the provider cloud for all traffic Public Cloud

Internet 10

Enterprise SD-WAN Use Cases—MPLS Migration MPLS Backup with Local Breakout Critical Apps (Voice and Video) Best path is chosen depending on latency, jitter, and packet loss

MPLS

Private Cloud

Critical Apps (Voice and Video) Redirected to a new tunnel in case the WAN conditions are worse than the threshold

Branch IPsec VPN

Business Apps Load balanced across different lines so bandwidth is optimized

Direct secure access to Internet, SaaS, and IaaS content Load balanced if needed

With an internet breakout, security is critical

Public Cloud

Internet 12

Enterprise SD-WAN Use Cases—MPLS Migration MPLS Replacement Replace expensive MPLS lines with cost-effective broadband

IPsec VPN

Private Cloud

Branch IPsec VPN

Public Cloud

With an internet breakout, security is critical

Internet 13



Pure Play SD-WAN Vendors / FortiGate Secure SD-WAN

• Application steering
• Link load balancing
• Traffic shaping

• Identification of cloud applications
• Dynamic WAN path controller
• Zero touch provisioning

Security

• Application control database
• Multiple SLA strategies
• Enhanced application monitoring

Security

Evolution of Fortinet Secure SD-WAN

FortiOS 5.4, 5.6, 6.0, 6.2

6.2 new features
• Forward error correction
• Expanded SLA strategies
• Enhanced SD-WAN analytics
• Tunnel bonding
• SOC4 SD-WAN acceleration

14

FOS 6.2: Enable Best of Breed SD-WAN

Application Aware
• Visibility into 5000+ applications
• High application identification accuracy

Multi-Path Intelligence
• Application steering based on expanded SLA
• Automated fail-over capabilities

WAN Resiliency
• WAN path remediation forward error correction (FEC)
• Tunnel bandwidth aggregation (per packet steering)

Simplified Monitoring
• High-level monitoring of SD-WAN devices on a map
• Expanded historic SLA analytics

Segmentation
• Multi-tenancy with Patented VDOM
• User-level segmentation for application

15

Transform your WAN Edge with Secure SD-WAN Single-Pane Management

Zero Touch Deployment

Secure SD-WAN

Application

WAN Path Controller

Best Protection Bundle

Routing

WAN Optimization

Anti Malware

Cloud Sandbox

FortiOS

IPS

Web Filtering

Threat Intelligence

Purpose-Built Security Processor

16

FortiGate Enterprise Routing Stack

Routing Protocols
• BGP, IPv4/IPv6
• OSPF (v2/v3), IPv4/IPv6
• ISIS
• RIPng, RIPv1/v2
• Multicast sparse/dense including NAT
• Policy-based routing (PBR)

Advanced Features
• Hardware accelerated routing
• Per VDOM routing tables
• Virtual router support
• Graceful restart for BGP/OSPF
• BFD for BGP, OSPF, and Multicast
• BGP route reflector

(Diagram: FortiOS, Secure SD-WAN, Full Enterprise Routing Stack)

17

Fortinet

WAN Edge MQ 2018 vs 2019

NGFW / Enterprise

Cisco

UTM 18

Take Advantage Today

SD-WAN Ready
• FortiGate provides best of breed SD-WAN features in base platform
• Make your branch application aware with our WAN path controller
• Consistent application performance with automated failover

Proven NGFW
• 90% of SD-WAN vendors do not offer NGFW security
• Fortinet is the industry leader in security effectiveness and performance
• Simple to manage integrated NGFW and SD-WAN in single offering

19

SD-WAN Assessment Program

SD-WAN Assessment Program—What is it?
Part of the Cyber Threat Assessment Program for SD-WAN
• No obligation analysis for the network to get visibility into application usage, security posture, and bandwidth utilization
• No impact deployment that will not disrupt network connectivity or ongoing services
• No uncertainty about the current level of security posture and whether additional or new security controls are needed

21

SD-WAN Assessment Program—What’s its Purpose?
Customers get visibility into:
• Application usage
• Security posture
• Bandwidth utilization

Sources:
1. IDC. SD-WAN Infrastructure Forecast. 2018.
2, 3, 4. Gartner. WAN Disruption and Transformation Survey. November 2018.

22

SD-WAN Assessment Program—How Does it Work?
1. Submit a request in the CTAP portal for a Secure SD-WAN Assessment
2. Install the configuration file on the FortiGate device and deploy for 3-7 days
3. Uses SD-WAN technologies and intelligence of FortiGuard Labs to identify thousands of applications
4. Upload the inspection logs to the portal and generate a Secure SD-WAN Assessment report
5. Customer’s log data is purged from the system after completion of the final Secure SD-WAN Assessment report

23

SD-WAN Assessment Program—Then What?
• Partner reviews the Secure SD-WAN Assessment report
• Partner can deliver or present the report to the customer, including impartial recommendations
• If the customer is ready to purchase FortiGate Secure SD-WAN based on SD-WAN findings, the standard ordering process applies
• If the customer has detailed questions, beyond the scope of the turnkey assessment, a PoC can be similarly configured
• If there are questions or additional information required, contact [email protected]

24

Case Studies

Fortinet’s Global SD-WAN Adoption FortiGate SD-WAN customer

Business Drivers Digital transformation at the enterprise branch

Reduce WAN OpEx spending Consolidation of branch services

Hundreds of customers deployed the Fortinet SD-WAN solution worldwide 26

Consolidation of Branch Services

Large supermarket in Northern Europe
• 30% market share in the Netherlands
• 13 independent retail organizations
• 1500 branches, 10 datacenters

Goals
• Unified best of breed approach, competing against powerful national supermarket chains
• Undergoing digital transformation to simplify management and increase productivity

Challenges
• Unique set of security and networking requirements for each retail member
• Proliferation of IoT devices, demanding more bandwidth and security

Solution
• Patented VDOM functionality allowed customer to deploy multiple retail formulas from a single location
• Extended the Fortinet SD-WAN solution to include switches, access points, and extenders from Fortinet

27

Digital Transformation at the Enterprise Branch

Large educational institution
• 34,000 students
• Serves 76 schools
• $388M operating budget

Goals
• Broadband modernization program to provide internet access to students
• Protect the personal information of students and staff

Challenges
• MPLS architecture was not flexible to meet growing demands
• Anticipated 80% of total volume of school traffic to be encrypted by 2020

Solution
“We chose the FortiGate enterprise solution for several reasons, including SSL inspection capabilities, throughput, deployment flexibility, and internal staff expertise”. - John McCormick, CIO

28

Reduce WAN OpEx Spending

Multinational automotive supplier
• $18.7B revenue
• 81,000 employees
• 140 locations

Goals
• Fully adopted cloud applications and SDN technologies

Challenges
• Immediate need for SD-WAN deployment, with special requirements for WAN path control and SLA strategy
• MPLS infrastructure was inflexible and costly

Solution
• Automated WAN path control with granular application transaction-level SLA
• Multiple strategies for controlling application SLA

29

Competitive Overview Types of Competitors and How to Position Against Them

Competitive Positioning—Security Vendors

Characteristics
• SD-WAN is a feature rather than the entire solution
• NGFW security built-in as part of the solution

Form factors
• Hardware appliance or VM

How to Position Against

Security Effectiveness:
• Fortinet has better security effectiveness than competitors, based on 3rd party independent testing, such as NSS Labs
• Leader positions in the Gartner NGFW and UTM Magic Quadrant as well as eight recommendations from NSS Labs
• The Fortinet Security Fabric provides end to end visibility and threat intelligence across a wide attack surface

Performance:
• The best performing VPN with dedicated security processors
• NSS Labs SD-WAN testing gave Fortinet a Recommended rating, recognized for class leading QoE, the lowest total cost of ownership (TCO), and SSL decryption
• Unmatched ability to scale branch office SD-WAN deployments with FortiGate and FortiManager using zero-touch provisioning (cite case studies when appropriate)

Competitive Positioning—Pure Play SD-WAN

Characteristics
• Entire solution is SD-WAN
• No built-in NGFW security
• Typically a startup or was a recent startup
• Licensing based on bandwidth

Form Factors
• Hardware appliance or VM

How to Position Against

Secure SD-WAN vs SD-WAN
• Both Gartner and NSS Labs recognize the importance of security for SD-WAN
• Better end to end visibility and threat intelligence across a wide attack surface with the Security Fabric

Performance
• The best performing VPN with dedicated security processors
• NSS Labs gave Fortinet a Recommended rating, recognized for class leading QoE, the lowest TCO, and SSL decryption

Lower TCO
• SD-WAN is built into every FortiGate, no license required
• Customers avoid the need to have a second vendor for security, which would double their costs
• Bandwidth-based licensing is expensive

Market Realities
• Pure play vendors will eventually get acquired or go out of business. What happens to customer networks then?

32

Competitive Positioning—WAN Optimization Vendors

Characteristics
• Focuses on WAN, so the next logical progression would be SD-WAN
• SD-WAN is a feature of a WAN optimization product or a component of a WAN solution
• No built-in NGFW security
• Cannot help organizations with branch consolidation objectives

Form Factors
• Hardware appliance or VM

How to Position Against

Market Realities
• SD-WAN enables the replacement of expensive MPLS circuits with cheap broadband internet and has reduced the importance of WAN optimization
• WAN optimization vendors must pivot to SD-WAN to stay relevant

Secure SD-WAN vs SD-WAN
• SD-WAN is one component in providing network security
• NSS Labs SD-WAN testing gave Fortinet a Recommended rating, recognized for class leading QoE, the lowest total cost of ownership (TCO), and SSL decryption
• The Security Fabric provides end to end visibility and threat intelligence across a wide attack surface

SD-Branch
• Fortinet Secure SD-WAN allows organizations to consolidate their WAN edge infrastructure and manage SD-WAN, security, access layer, and endpoints in a true single pane of glass console

33

Competitive Positioning—NSE Competitive Insider For more information on SD-WAN competitive positioning, look at the NSE Competitive Insider presentations: https://fuse.fortinet.com/p/do/sd/sid=6323

34

NSS Labs SD-WAN Report Results

NSS Labs SD-WAN—Industry’s First SD-WAN Group Test
• Inaugural group test of market-leading SD-WAN solutions
• Real world simulation of:
  • Enterprise deployment
  • Business critical traffic
  • Scenarios with poor network conditions

36

NSS Labs SD-WAN v1.0 2018 (Products Tested) Only three Vendors Recommended out of ten participating

Recommended

Verified

Citrix Systems Netscaler SD-WAN

Caution

Refused Participation

Barracuda NGFW F-Series F80

FortiGate 61E

Versa Networks FlexVNF

Cradlepoint AER2200-600M

VMWare NSX SD-WAN by VeloCloud Edge Forcepoint NGFW 1101

Talari Networks Adaptive Private Networking (APN)

FatPipe Networks MPVPN/SD-WAN

37

Overall Results
• Fortinet SD-WAN measured best in class for quality and TCO

38

Fortinet Receives Second Consecutive SD-WAN Recommended Rating from NSS Labs
Only three vendors out of 60+ SD-WAN vendors achieved consecutive Recommended ratings

Best ROI / Reliable QoE / Resilient HA
• Lowest TCO among all vendors
• NSS Labs Recommended voice and video QoE
• Best user experience in failure conditions
• Faster deployment with zero-touch provisioning in six minutes
• QoE delta is only ~5% lower than average QoE from all vendors
• Achieved best possible score for voice and video QoE
• Our TCO ~8X better than average TCO from all vendors
• Active and passive high availability

Built-in NGFW security has received five consecutive Recommended ratings from the NSS Labs NGFW test

How to Position Fortinet Results
• Proven best of breed SD-WAN
  • Highest QoE for VoIP, beating even pure play SD-WAN vendors (scoring 4.38 out of 4.41)
  • Sustained high quality for VoIP, even during brownout conditions when packet loss, latency, and jitter were introduced
  • Second best QoE for video, scoring 4.26 out of 4.53
• Only Recommended SD-WAN vendor with security rating
  • 100% of evasions were blocked, with 99.9% security effectiveness
  • Five out of nine vendors missing NGFW security, which is critical for enterprises adopting SD-WAN for cloud applications
• Best TCO
  • Fortinet proved the best value with only $5 TCO
  • Purchase price vs value is at least 700% higher than other vendors

40

Introducing the World’s First SD-WAN ASIC

Ultra Fast SD-WAN
• Industry’s fastest application steering for efficient business operations

Best of Breed Security
• Enable best of breed, certified SD-WAN and security with high performance

Ease of Use
• Best user experience with responsive accelerated overlay WAN

SD-Branch Enabled
• Accelerated security extension to access layer to enable SD-Branch transformation

41

World’s First SD-WAN ASIC (SOC4)

Security Processing Unit: SOC4 (X2)
• A53 quad @ 1.4 GHz
• DDR4-32B @ 2400
• 28,000 DMPS
• 18X network ports
• 36 Gbps throughput
• 18 Gbps IPsec throughput
• CAPWAP support

Security Processing Unit: SOC3 (X1)
• A9 quad @ 1 GHz
• DDR3-32B @ 2400
• 10,000 DMPS
• 10X network ports
• 10 Gbps throughput
• 3 Gbps IPsec throughput
• CAPWAP support

42

The Fortinet SD-WAN ASIC Powered FortiGate 100F
• 22 Gbps Zero CPU Forwarding
• 11.5 Gbps IPsec
• 800 Mbps NGFW
• 2500 Tunnels
• 1.0 Gbps SSL

43

FortiOS 6.2 Secure SD-WAN

SD-WAN Configuration Steps
• Basic steps to set up SD-WAN
  • Enable SD-WAN
  • Configure routes
  • Configure security policies
  • Configure performance SLA
  • Configure SD-WAN rules
  • View usage monitoring

45

Enable SD-WAN
Network > SD-WAN
• Select the interfaces that will become members of the SD-WAN and provide a gateway for that interface
• Physical interfaces that are referenced by any other configuration element (for example, routes or policies) will not appear in this list
• New in 6.2: Easily create IPsec VPN
• New in 6.2: Optionally, provide a cost for the interface that the rules use
• View the SD-WAN usage of each member, based on Bandwidth, Volume, and Sessions
• There can only be one SD-WAN interface per VDOM

SD-WAN IPsec VPN Wizard
• What it does:
  • Simplifies dual VPN creation for SD-WAN
• How it does it:
  • Provides a VPN wizard in the SD-WAN section that allows users to create an overlay VPN tunnel over each selected underlay transport link
• Use case:
  • To speed up VPN creation in simple SD-WAN deployments

47

Forward Error Correction (FEC)
• What it does:
  • Allows for dynamic remediation of packet loss or erroneous data caused by adverse WAN conditions
• How it does it:
  • The sending FortiGate buffers the traffic, then generates and sends redundant packets along with the original payload through a VPN tunnel
  • The receiving FortiGate buffers the incoming packets and performs redundancy calculations based on the traffic (payload + redundant packets) to ensure the integrity of the original payload and recover from packet loss or transmission errors
• Use cases:
  • Increase the reliability of WAN traffic sent through an overlay VPN tunnel established over a broadband internet link
  • Increase the QoE of voice or video traffic that is pinned to specific overlay tunnels
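
The buffer, redundancy and recovery steps described for FEC can be followed in a small model. This is an added example, not Fortinet code: it assumes one XOR parity packet per group of four data packets (a scheme chosen for clarity, not the FortiOS algorithm), and the function names and sample frames are constructed for illustration.

```python
from functools import reduce

GROUP_SIZE = 4  # assumed: data packets protected by one parity packet


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_group(payloads):
    """Sender: buffer one group and build its redundant (parity) packet."""
    width = max(len(p) for p in payloads)
    # A 2-byte length prefix lets the receiver strip the padding after recovery.
    bodies = [len(p).to_bytes(2, "big") + p.ljust(width, b"\x00") for p in payloads]
    return bodies, reduce(_xor, bodies)


def decode_group(arrived, parity, group_size):
    """Receiver: `arrived` maps position-in-group -> body for packets that got
    through. `parity` is None if the redundant packet itself was lost."""
    got = dict(arrived)
    missing = [i for i in range(group_size) if i not in got]
    if len(missing) > 1 or (missing and parity is None):
        raise ValueError("loss exceeds what one parity packet can repair")
    if missing:
        # XOR of the parity with every surviving body leaves exactly the lost body.
        got[missing[0]] = reduce(_xor, got.values(), parity)
    return [got[i][2:2 + int.from_bytes(got[i][:2], "big")] for i in range(group_size)]


def send_over_lossy_tunnel(payloads, lost, group_size=GROUP_SIZE):
    """Simulate a tunnel that drops the data packets whose stream index is in
    `lost`. Returns (payloads handed to the application, unrepaired groups)."""
    delivered, failed_groups = [], 0
    for start in range(0, len(payloads), group_size):
        group = payloads[start:start + group_size]
        bodies, parity = encode_group(group)
        arrived = {i: b for i, b in enumerate(bodies) if start + i not in lost}
        try:
            delivered.extend(decode_group(arrived, parity, len(group)))
        except ValueError:
            failed_groups += 1
            # No repair possible: only the packets that arrived are usable.
            delivered.extend(group[i] for i in sorted(arrived))
    return delivered, failed_groups


# Constructed sample: eight voice-like frames of different lengths.
FRAMES = [b"rtp-frame-%02d" % i + b"x" * i for i in range(8)]

if __name__ == "__main__":
    for lost in ({2, 5}, {0, 1}):
        ok, failed = send_over_lossy_tunnel(FRAMES, lost)
        print(f"lost={sorted(lost)}: {len(ok)}/{len(FRAMES)} frames delivered, "
              f"{failed} group(s) unrepaired")
```

One loss per group is repaired at the cost of 25% extra packets; two losses in the same group exceed the redundancy and the frames stay lost.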

SD-WAN Virtual Interface
• A virtual interface named SD-WAN is automatically created
• All static routes and firewall policies must be configured using this virtual interface

Network > Interfaces
Policy & Objects > IPv4 Policy
Network > Static Routes

49

Dynamic Routing Support
• New solution to overcome SD-WAN static network limitations
• Links SD-WAN and BGP in a dynamic network environment
• This feature is currently CLI only

50

Performance SLA

Link Health Monitor

SLA Targets

NEW

Link Status 51

Performance SLA—Link Health Monitor
Available protocols via CLI:
• ping: PING link monitor
• http: HTTP-GET link monitor
• tcp-echo: TCP echo link monitor
• udp-echo: UDP echo link monitor
• TWAMP: Two-Way Active Measurement Protocol

• In FortiOS 6.2, Status Check is renamed Performance SLA
• You can use two servers to test the quality of a link
• You can specify which SD-WAN members this SLA applies to

Link Quality Measurements
• Status check also measures the link quality of each member interface based on latency, jitter, and packet loss percentage

53

Performance SLA—SLA Targets
• You can specify multiple SLA targets in one performance SLA
• Targets are only used when referenced by a rule
• Use Link Status to prevent flapping

54

SD-WAN Rules
• Rules can match traffic based on:
  • Source IP address, destination IP address, or port number
  • Internet services database (ISDB) address object
  • Users or user groups
  • Type of service (ToS)
• Lets you route traffic through the member interfaces that best fit your needs

55

SD-WAN Rules—Manual

• New in FortiOS 6.2 • Use a manual rule to pin one or more applications to a specific SD-WAN member interface

56

SD-WAN Rules—Best Quality

Link quality = (a*latency) + (b*jitter) + (c*packet loss) + (d/bandwidth)

SD-WAN Rules—Lowest Cost (SLA)

• In FortiOS 6.2, Minimum Quality (SLA) is renamed Lowest Cost (SLA)
• All of the traffic that matches the rule will be directed to a single interface

SD-WAN Rules—Maximize Bandwidth (SLA)

• New in FortiOS 6.2
• Load balances multiple sessions across participating SD-WAN members that meet the SLA
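
How the Best Quality formula and the two SLA strategies pick a member, as an added example rather than FortiOS code. The weights a to d, the fallback when no member meets the SLA, the round-robin spread, and the port1/port2 measurements are assumptions made for this sketch.

```python
from dataclasses import dataclass, replace
from itertools import cycle


@dataclass(frozen=True)
class Member:
    name: str
    cost: int              # per-interface cost, as set on the SD-WAN member
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    bandwidth_mbps: float


@dataclass(frozen=True)
class SlaTarget:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def link_quality(m, a=1.0, b=1.0, c=1.0, d=1.0):
    """Formula from the Best Quality slide. Every term grows as the link gets
    worse, so this model treats the lowest value as the best link."""
    return a * m.latency_ms + b * m.jitter_ms + c * m.loss_pct + d / m.bandwidth_mbps


def meets_sla(m, sla):
    return (m.latency_ms <= sla.latency_ms and m.jitter_ms <= sla.jitter_ms
            and m.loss_pct <= sla.loss_pct)


def best_quality(members, **weights):
    return min(members, key=lambda m: link_quality(m, **weights)).name


def lowest_cost_sla(members, sla):
    """All matching traffic goes to one member: the cheapest that meets the SLA."""
    passing = [m for m in members if meets_sla(m, sla)]
    if not passing:
        return best_quality(members)   # assumed fallback when nothing meets the SLA
    return min(passing, key=lambda m: m.cost).name


def maximize_bandwidth_sla(members, sla, sessions):
    """Spread sessions over every member that meets the SLA (round-robin assumed)."""
    passing = [m for m in members if meets_sla(m, sla)] or list(members)
    turn = cycle(passing)
    return {s: next(turn).name for s in sessions}


# Constructed measurements, not taken from the lab.
LINK1 = Member("port1", cost=10, latency_ms=12, jitter_ms=2, loss_pct=0.1, bandwidth_mbps=100)
LINK2 = Member("port2", cost=5, latency_ms=35, jitter_ms=4, loss_pct=0.5, bandwidth_mbps=50)
VOICE = SlaTarget(latency_ms=150, jitter_ms=30, loss_pct=1.0)


def decide(members):
    return {
        "best_quality": best_quality(members),
        "lowest_cost": lowest_cost_sla(members, VOICE),
        "max_bandwidth": maximize_bandwidth_sla(members, VOICE, ["s1", "s2", "s3", "s4"]),
    }


HEALTHY = decide([LINK1, LINK2])
# Lab scenario: latency is introduced on the first link.
FIRST_LINK_SLOW = decide([replace(LINK1, latency_ms=212), LINK2])

if __name__ == "__main__":
    print("healthy:        ", HEALTHY)
    print("first link slow:", FIRST_LINK_SLOW)
```

With both links healthy the three strategies disagree (best quality prefers port1, lowest cost prefers port2, maximize bandwidth uses both); once port1 breaches the latency target all three converge on port2.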

SD-WAN Rules—Internet Services & Application

61

SD-WAN Rules Precedence
• SD-WAN rules are treated as policy-based routes

Monitor > Routing Monitor

62

SD-WAN Rules
• SD-WAN rules are evaluated in the same way as the firewall policies: from top to bottom, using the first match
  • Application Specific Rules
  • Implicit Rule
• Double-click on the implicit rule to display the load balancing options

SD-WAN Load Balancing Methods
• Source IP (default)
  • Sessions from the same source IP address use the same interface
• Source-destination IP
  • Sessions with the same source and destination IP pair use the same interface
• Spillover
  • Use one interface until threshold is reached, then use the next interface
• Sessions
  • The number of sessions distributed is determined by the interface weights
• Volume
  • Sessions are distributed so that traffic volume is distributed by the interface weights
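
The five load balancing methods applied to the same session list, as an added example and not FortiOS code. The hash function, the spillover accounting, the "furthest below its weighted share" rule, and all addresses, weights and byte counts are assumptions constructed for the comparison.

```python
import hashlib
from collections import Counter

MEMBERS = ["port1", "port2"]            # constructed member list
WEIGHTS = {"port1": 3, "port2": 1}      # constructed interface weights

# Constructed sessions: two source hosts, four destinations, one heavy flow.
SESSIONS = [{"src": "10.0.1.%d" % (10 + i % 2), "dst": "198.51.100.%d" % (1 + i % 4),
             "kbps": 400, "bytes": 900 if i == 0 else 100} for i in range(8)]


def _bucket(key, n):
    # Stable hash; Python's built-in hash() is salted per process.
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % n


def by_source_ip(sessions, members):
    return [members[_bucket(s["src"], len(members))] for s in sessions]


def by_source_dest_ip(sessions, members):
    return [members[_bucket(s["src"] + ">" + s["dst"], len(members))] for s in sessions]


def spillover(sessions, members, threshold_kbps):
    """Fill members in order; move on once a member's threshold would be exceeded."""
    load, out = Counter(), []
    for s in sessions:
        for m in members:
            if load[m] + s["kbps"] <= threshold_kbps[m] or m == members[-1]:
                load[m] += s["kbps"]
                out.append(m)
                break
    return out


def weighted(sessions, members, weights, measure):
    """Give each new session to the member furthest below its weighted share.
    measure(s) is 1 for the Sessions method and s["bytes"] for Volume."""
    used, out = Counter(), []
    for s in sessions:
        m = min(members, key=lambda x: (used[x] / weights[x], members.index(x)))
        used[m] += measure(s)
        out.append(m)
    return out


def volume_by_member(sessions, picks):
    total = Counter()
    for s, m in zip(sessions, picks):
        total[m] += s["bytes"]
    return dict(total)


if __name__ == "__main__":
    print("source IP     ", by_source_ip(SESSIONS, MEMBERS))
    print("source-dest IP", by_source_dest_ip(SESSIONS, MEMBERS))
    print("spillover     ", spillover(SESSIONS, MEMBERS, {"port1": 1000, "port2": 1000}))
    print("sessions 3:1  ", weighted(SESSIONS, MEMBERS, WEIGHTS, lambda s: 1))
    vol = weighted(SESSIONS, MEMBERS, WEIGHTS, lambda s: s["bytes"])
    print("volume 3:1    ", vol, volume_by_member(SESSIONS, vol))
```

With the same 3:1 weights, the Sessions method splits the eight sessions 6 to 2, while Volume splits them 4 to 4 because the one heavy flow already fills most of port1's byte share.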

64

SD-WAN Rules IPv6 Support
• IPv6 support added
• CLI configuration only
• Partial display in GUI

65

SD-WAN Link Status Monitoring Network > Performance SLA

Log & Report > System Events

66

SD-WAN Link Status Monitoring Cont’d

• Use the following command to verify which link is the preferred link

67

SD-WAN Usage Monitor
• Real time SD-WAN usage monitor
• View SD-WAN traffic distribution by bandwidth, volume, or session

68

Verify SD-WAN Traffic Routing

69

Verify SD-WAN Traffic Routing
• Use the Forward Traffic logs or the packet capture tool to verify traffic routing.

Log & Report > Forward Traffic

# diagnose sniffer packet any 'port 443' 4
5.455914 port1 out 192.168.1.254.59785 -> 192.168.1.1.443: syn 457459
5.455930 port2 out 192.168.1.1.443 -> 192.168.1.254.59785: syn 163440 ack 457460
5.455979 port2 out 192.168.1.1.443 -> 192.168.1.254.59773: 927943 ack 725411
5.456012 port1 out 192.168.1.1.443 -> 192.168.1.254.59773: 929403 ack 725411
5.456043 port1 out 192.168.1.1.443 -> 192.168.1.254.59773: psh 930863 ack 725411

Traffic Shaping
• Apply traffic shaping to SD-WAN traffic the same as any other traffic
• Layer 7 analysis for QoS rules is based on users, apps, URLs
• Administrators can prioritize critical traffic over other traffic
• There are two types of traffic shapers: Per IP and Shared

71

SD-WAN Integration in Fabric Topology

72

FortiOS Secure SD-WAN Management and Visibility: FortiManager

• New WAN health analytics in FortiManager for SD-WAN
• Go to Table View, then click on the FortiGate you want to view

FortiManager—Zero-Touch Provisioning & Automation
Turn-Key Provisioning for SD-WAN and SD-Branch
• Use zero-touch provisioning for FortiGate, FortiSwitch, and FortiAP
• Leverage templates to provide ease of policy configuration
• SLA-based application steering
• Ansible scripts are available on GitHub

74

FortiManager—SD-WAN Monitoring and Controls
Performance, Bandwidth, and SLA Monitoring
• SD-WAN bandwidth monitoring to log the interface UL/DL speeds (run 10 different times in 24hrs)
• SLA logs and history monitoring forwarding to FortiAnalyzer Cloud for better SLA reporting
• Security Rating for best practice configuration management
• View the Security Fabric Topology in FortiManager

FortiManager—Single Pane of Glass Management
SD-WAN Central Management
• Single pane for both management and logging (FortiManager and FortiAnalyzer)
• VPN management (IPsec VPN, mesh configuration)
• SD-WAN management (health check servers, templates)

76

Conclusions:
• Customers want WAN with local internet breakout
• SD-WAN enables local internet breakout but this means added security risks
• Most SD-WAN vendors do not have robust NGFW security
• Many SD-WAN vendors recommend multiple devices for SD-WAN and security
• Multiple devices add to the complexity and cost
• What customers need is Secure SD-WAN
• A single device handles both the security and the SD-WAN needs

Key Takeaway
• FortiGate changes the conversation from SD-WAN to Secure SD-WAN
• Best of breed integrated SD-WAN networking and security capabilities in a single device reduces TCO
• FortiGate is SD-WAN ready:
  • Purpose-built security processor (ASIC) for high reliability
  • Enhanced application aware WAN path controller for QoS
• Security Fabric ready for easy visibility and control
• FortiManager enables single pane management across thousands of enterprise branches
• 360 Protection is the most comprehensive protection bundle

Lab Exercise: SD-WAN

Lab—Network Diagram

80

SD-WAN Exercise
• In this exercise, you configure the SD-WAN virtual interface:
  • You perform all of the configurations from the Jumpbox server
  • The Lab Guide is on the desktop of the Jumpbox (FortiFIED app)
  • As part of the exercise, you create a rule to have traffic favor the best link
  • You initiate some traffic in the form of a phone call and continuous ping to HQ
  • You introduce latency in the first link and observe the traffic switch over to the second link without dropping the call

81

Software-Defined WAN Session https://use.cloudshare.com/Class/x-x-x-x-x Student name: Passphrase:

Fortinet1!

Instructor Notes
• The following slides are optional and can be used for the following:
  • To remind instructors how to interact with the Fast Track labs
  • To help students get started using the hands-on lab
• Feel free to use some, all, or none of the slides as part of your session
• It is recommended to keep the initial instruction short and then assist students individually as needed
• It is suggested to use no more than the first four of the following slides and only use the others on a case-by-case basis

83

Student Access
• Classroom URL and password are provided by your instructor

84

Student Classroom Portal
• View tabs across the top provide access to lab devices
• FortiFIED Lab Guide: an interactive lab guide providing tasks and validating results
• Jumpbox Server: provides access to links, software, and tools necessary to complete tasks
• Full Screen Button: makes current view full screen

85

FortiFIED Interactive Lab Guide
• Enter a Name
• Application banner
• Objectives list
• Display tabs
• Rich text
• Answer choice
• Complete button
• Status bar
• Scale text slider
• Resize display bar

86

Adjusting the View
1. Right-click the browser tab and select duplicate from drop-down menu
2. Tear off the browser tab by clicking it and dragging the tab away from the browser
3. Arrange the browser windows side by side, based on personal preference
4. Use the browser zoom to adjust resolution of views based on preference
• These same steps can be used to place a second browser window on a separate monitor

87

Keyboard Layouts
• Keyboards on Windows and Linux hosts can be changed for non-US keyboard environments
• Windows host:
  1. Under Environment Actions, use the keyboard dropdown list to select a keyboard
  2. To apply the new keyboard, log out of Jumpbox, then log back in

88

Keyboard Layouts (cont)
• Ubuntu 14.04 (NGFW)
  1. Must be done from inside the host
  2. Log in, click the gear icon on the top right and click System Settings…
  3. Click Keyboard
  4. Click Text Entry
  5. Click +
  6. Select a keyboard layout and click Add
  7. Close the window
  8. Click the Keyboard Layout icon on top right and click the new layout

89

Keyboard Layouts
• Ubuntu 18.04 & Kali Host (Security Fabric & FortiWeb)
  1. Must be done from inside the host
  2. Log in, click the drop-down list on the top right and select the Settings icon
  3. Click Region and Language and click the + icon under Input Sources
  4. If required, use the button on the bottom of the window to search for a keyboard
  5. Click the keyboard and click Add
  6. Close the window
  7. Click the Keyboard Layout icon on top right and click the new layout panel

90

Extended RDP Access
• Easiest and quickest access is through the browser interface
• RDP client access provided
  • RDP config download
  • External address link
• Benefits
  • Allows students to use an interface that is most familiar to them
  • Custom configuration
  • Lets students use a tablet as a secondary screen

91

Use Tablet as a Secondary Screen
• Install an RDP client on tablet (for example Parallels)
• Email or transfer the CloudShare external access link to tablet
• Tablets work well for Jumpbox access and the FortiFIED app
• Secondary VMs still require using the web portal interface